National Cybersecurity Awareness Month


National Cyber Security Awareness Month is a campaign to promote more awareness of cyber threats and how to stay safe online. Throughout October we’ll be sharing awareness messages to encourage good cyber hygiene habits both at work and at home.

This week I want to change how you think about email senders and links in emails.

“Change how I think?! How so?”, you say, in a nervous, slightly alarmist tone as you take a giant chug of coffee.

Here’s how: I’d like to get you to think differently about the links and file attachments in emails and then change how you evaluate them for safety. In a phrase, think before you click.

People are often not clicking carefully because they don’t have an informed perspective. Let’s try a Socratic method exercise to see if you have the right perspective…

Would you let a stranger into your house, no questions asked?

It seems a silly question: common sense says you should first ask questions to verify that the person who wants to enter your home is legitimate, that they are who they say they are. Your questions would be informed by what you observe, such as whether the person is wearing a uniform, and by the answers they give.

Ok, let’s think of the same scenario in the cyber sphere…

Would you let a stranger into your computer account, no questions asked?

The same logic applies, right?

Clicking on a link or file attachment is like opening the door to your account.

A mouse click can hand your access to a malicious intruder on the outside, who can then steal your confidential information or do serious damage on our network or systems.

But here’s the salient point: Every day, probably hundreds or thousands of times a second, people all over the world are clicking carelessly on links in emails that let intruders or viruses into their email account, computer, and network.

Why do computer users continue to let intruders in?

Email recipients don’t always ask the same types of questions they would ask someone attempting to enter their home.

So, what should you be asking? Let’s keep it simple. There are many clues in an email to assess its legitimacy, but these are the two most basic questions and how to get their answers:

  1. Does the sender’s email address match the name and organization of the purported sender?

An email address has the format <username>@<domain>. Does the username look right? Does the domain name appear correct for the affiliated organization (Wentworth’s domain name is “WIT.EDU”)?

If the email address doesn’t match the purported sender, it is suspicious. Don’t click on anything!

  2. Is the link I want to click on reputable and what it claims to be?

To evaluate a link, hover your cursor over it to reveal the actual link target. On a mobile device, you may need to “tap and hold” on the link. This shows the actual web address.

Is the web address what you thought it would be? In most professional emails it should match the sender’s domain name. For example, if the sender was accounts@BigBank.com, the message shouldn’t have links like JimsWaffleHouse.com/login/register in it. See the difference in the domain? Don’t click it!

There are more clues in an email to assess its legitimacy, but these are the two most basic questions and how to get the answers.
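The two questions above can be turned into a small automated check. This is an added example, not code from the original post or from Wentworth: it extracts the domain from a From header, collects the hosts of every http(s) link in a plain-text body, and flags anything that is not the expected organization's domain (or a subdomain of it). The expected domain and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Matches an address like accounts@BigBank.com, with or without a display name.
ADDR_RE = re.compile(r"([^@\s<>\"]+)@([^@\s<>\"]+)")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def sender_domain(from_header: str):
    """Domain of the address in a From header (display names ignored), or None."""
    m = ADDR_RE.search(from_header)
    return m.group(2).lower().rstrip(".") if m else None


def same_org(host: str, expected_domain: str) -> bool:
    """True if host is expected_domain itself or a subdomain of it.
    Look-alikes such as bigbank.com.evil.example or bigbank-login.example fail."""
    host, expected_domain = host.lower().rstrip("."), expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def link_hosts(body: str):
    """Hostnames of all http(s) links found in a plain-text email body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url.rstrip(".,;:")).hostname  # drop sentence punctuation
        if host:
            hosts.append(host.lower())
    return hosts


def check_email(from_header: str, expected_domain: str, body: str) -> dict:
    """Apply both questions from the post and report what failed."""
    dom = sender_domain(from_header)
    sender_ok = dom is not None and same_org(dom, expected_domain)
    bad_links = [h for h in link_hosts(body) if not same_org(h, expected_domain)]
    return {"sender_ok": sender_ok, "sender_domain": dom, "bad_links": bad_links,
            "verdict": "SUSPICIOUS" if (not sender_ok or bad_links) else "OK"}


# Constructed sample messages (hypothetical, not real mail)
LEGIT = check_email("Big Bank Accounts <accounts@BigBank.com>", "bigbank.com",
                    "Your statement is ready: https://secure.bigbank.com/statements.")
PHISH = check_email("accounts@BigBank.com", "bigbank.com",
                    "Verify now: http://JimsWaffleHouse.com/login/register")

if __name__ == "__main__":
    print(LEGIT)  # verdict OK
    print(PHISH)  # verdict SUSPICIOUS, bad_links ['jimswafflehouse.com']
```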

Behavioral psychologists say it takes several weeks to form a habit. If you are not in the habit of asking these questions to vet the email sender and links, this month is the perfect month to start building that habit!

Questions? Please email me at cunninghamb2@wit.edu

Check out Wentworth’s Information Security Program

Bryce Cunningham, MS, CISSP
Information Security Officer
Division of Technology Services


Bryce Cunningham joined COF this Spring in a new role as the Information Security Officer for MassArt and Wentworth. In this role, Bryce facilitates each respective school’s information security program and acts as a trusted advisor to their Chief Information Officer in areas such as information security policy, security awareness and education, program strategy, and risk management. Prior to specializing in information security, Bryce had a long career in IT at Raytheon and GE Healthcare in system administration and software engineering roles. Most recently (2009-2018), Bryce has led information security programs in the public sector: At the City of Boston, Bryce developed and managed the City’s first information security team. He was also the first Chief Information Officer at the Center for Health Information and Analysis, a state agency, and the first Information Security Officer at Framingham State University. From 2012-15, Bryce was a part-time instructor in the Information Assurance Master’s program at Northeastern University where he taught Decision-making in Critical infrastructure Protection. Bryce graduated summa cum laude from Northeastern’s M.S. Information Assurance program in 2010 and has been a Certified Information Systems Security Professional (CISSP) since 2005. Some of the personal pursuits Bryce enjoys are bicycling, chess, lyric writing and, perhaps unsurprisingly, improving home security on a budget.
